Isabel,
Financial service providers could be scoped into TPRM. You should approach scope by determining the impact if the vendor ceased to exist or failed to perform the service in an acceptable manner, if they had a data breach (what data is at risk), etc. Think through the types of risk: financial/credit, reputational, operational, compliance, and strategic.
If any of those cause your institution risk and are bound by a contract/agreement, then you should ensure oversight is commensurate with the risk and complexity of service.
------------------------------
Veralyn Hensley
------------------------------
Original Message:
Sent: 05-03-2023 05:15 PM
From: Michelle Chase
Subject: Formal Vendor Oversight/ Determining Vendors That Are In Scope and Out of Scope
Hi Isabel, we had previously scoped these kinds of relationships out of TPRM, but we recently had a regulator recommend that we scope in a specific relationship based on the significance of the relationship. For now we have only scoped in a single (regulator-recommended) relationship as part of TPRM, but will look to include other similarly significant relationships going forward. I anticipate these will be exceptions rather than the rule; for the vast majority of similar relationships, I think contractual terms are sufficient.
Hope that helps,
Shelly
------------------------------
Shelly Chase
VP Operational Risk
------------------------------
Original Message:
Sent: 04-25-2023 04:19 PM
From: ISABEL GUERRERO
Subject: Formal Vendor Oversight/ Determining Vendors That Are In Scope and Out of Scope
Hi everyone, we have been getting mixed feedback about how to manage some vendors where, as an organization, we possibly serve more as a customer to the vendor, such as lease finance vendors. For example, in this case, the "vendor" that we would have go through formal TPRM would be a vendor providing financial services for us.
How are other companies managing these types of external parties? Should they be excluded from the scope of a third-party management program for oversight?
Should it just be followed/managed for contractual terms and not treated as a vendor that may need to undergo due diligence (onboarding questionnaire, risk analysis, periodic audit/questionnaire)?
I wanted to see what others are doing and generally consider best practices for these types of vendors. Your input is truly appreciated.